Posted to commits@commons.apache.org by ch...@apache.org on 2019/08/15 02:19:34 UTC
[commons-beanutils] branch master updated: (update) put 1.9.4 docs into 2.x master
This is an automated email from the ASF dual-hosted git repository.
chtompki pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git
The following commit(s) were added to refs/heads/master by this push:
new 25381c1 (update) put 1.9.4 docs into 2.x master
25381c1 is described below
commit 25381c1370dba6a91401a4e4891de1e46a902a55
Author: Rob Tompkins <ch...@gmail.com>
AuthorDate: Wed Aug 14 22:17:54 2019 -0400
(update) put 1.9.4 docs into 2.x master
---
src/changes/changes.xml | 14 ++++++++++++++
src/site/xdoc/index.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 14676d6..d5fb5b7 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -65,6 +65,20 @@
</action>
</release>
+ <release version="1.9.4" date="2019-08-13" description="The primary reason for this release is a bugfix for
+CVE-2014-0114. More specifically, our goal with BEANUTILS-520
+is to set the default behaviour of the BeanUtilsBean
+to not allow class level access. The goal in doing this now
+is to bring 1.9.X into alignment with the same behaviour
+of the 2.X version line in regards to security.
+If one would like to opt out of the default behaviour, one could follow the
+example set out in the test class available in
+src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.">
+ <action issue="BEANUTILS-520" dev="chtompki" type="fix" due-to="Melloware">
+ BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils).
+ </action>
+ </release>
+
<release version="1.9.3" date="2016-09-21" description="Bug fix release, now builds with Java 8">
<action issue="BEANUTILS-433" dev="ggregory" type="update" due-to="Benedikt Ritter, Gary Gregory">
Update dependency from JUnit 3.8.1 to 4.12.
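Review bot: the release description leads with CVE-2014-0114, but the identifier assigned to this BeanUtils fix is CVE-2019-10086 (the action line itself says so, and the index.xml entry in this same commit is headed with it), so anyone scanning changes.xml for the BeanUtils advisory will not find it in the description text; suggest opening with "This release fixes CVE-2019-10086, the BeanUtils instance of the CVE-2014-0114 class-property issue (BEANUTILS-520)". The description also points opt-out users at src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java, which is a 1.9.x-branch path; this file is being committed to 2.x master, where the package is org.apache.commons.beanutils2 (see the assertEquals string in the index.xml example of this same commit), so either confirm the test exists at that path on master or qualify the reference as "in the 1.9.x branch".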
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index 7293b82..c5a77b9 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -115,6 +115,50 @@ Bean Collections has an additional dependency on
</ul>
</subsection>
<subsection name="1.9.x releases">
+ <p>
+ The latest BeanUtils release is available to download
+ <a href="http://commons.apache.org/beanutils/download_beanutils.cgi">here</a>.<br/>
+ <em><strong>1.9.4</strong></em><br/><br/>
+ <ul>
+ <li><a href="http://commons.apache.org/beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt">Release Notes</a></li>
+ <li><a href="http://commons.apache.org/beanutils/javadocs/v1.9.4/apidocs/index.html">JavaDoc</a></li>
+ </ul>
+ <strong>CVE-2019-10086.</strong> Apache Commons Beanutils does not suppresses
+ the class property in bean introspection by default.<br/><br/>
+ <strong>Severity.</strong> Medium<br/><br/>
+ <strong>Vendor.</strong> The Apache Software Foundation<br/><br/>
+ <strong>Versions Affected.</strong> All versions commons-beanutils-1.9.3 and before.<br/><br/>
+ <strong>Description.</strong> In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for
+ an attacker to access the classloader via the class property available on all Java objects. We, however were not
+ using this by default characteristic of the PropertyUtilsBean.<br/><br/>
+ <strong>Mitigation.</strong> Upgrade to commons-beanutils-1.9.4<br/><br/>
+ <strong>Credit.</strong> This was discovered by Melloware (https://melloware.com/).<br/><br/>
+ <strong>Example.</strong>
+ <source>/**
+* Example usage after 1.9.4
+*/
+public void testSuppressClassPropertyByDefault() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ final AlphaBean bean = new AlphaBean();
+ try {
+ bub.getProperty(bean, "class");
+ fail("Could access class property!");
+ } catch (final NoSuchMethodException ex) {
+ // ok
+ }
+}
+
+/**
+* Example usage to restore 1.9.3 behaviour
+*/
+public void testAllowAccessToClassProperty() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ final AlphaBean bean = new AlphaBean();
+ String result = bub.getProperty(bean, "class");
+ assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
+}</source>
+ </p>
<p>
BeanUtils <strong>1.9.x</strong> releases are binary compatible (with a minor exception
described in the release notes) with version 1.8.3 and require a minimum of
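Review bot: the "restore 1.9.3 behaviour" example asserts that the class property equals "class org.apache.commons.beanutils2.AlphaBean", which is the 2.x package name; this text sits in the "1.9.x releases" subsection and is addressed to 1.9.4 users, whose AlphaBean is org.apache.commons.beanutils.AlphaBean, so the sample fails verbatim against 1.9.4. Suggest "class org.apache.commons.beanutils.AlphaBean" here, or drop the package-qualified assertion. Two smaller points: the CVE summary reads "does not suppresses the class property" and should be "does not suppress the class property", and the second example should carry one sentence saying that calling removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS) reinstates exactly the classloader exposure the advisory describes, so it is only appropriate where the bean and property names come from trusted input. Markup: the <ul> and <source> blocks are nested inside the <p> opened at the top of the hunk (it closes after </source>), which renders as block elements inside a paragraph; move them after a closing </p> or give each its own paragraph.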